Technical Tip: FortiGate Intermediate System-Intermediate System (IS-IS) configuration example
Description
This article provides an example scenario for Intermediate System-Intermediate System (IS-IS) routing and the FortiGate configuration required to implement it, as well as some corresponding debug commands for troubleshooting.
Scope
FortiGate, IS-IS.
Solution
For this example configuration, consider the following topology:

Expected outcomes:
- RTR1 and RTR2 will share their local subnets (10.1.1.0/24, 10.2.2.0/24, 10.3.3.0/24, and 10.4.4.0/24) to FGT1, and they must also receive the loopback subnet of FGT4 (10.60.60.1/32).
- FGT1 will redistribute connected, RIPv2, and OSPF routes into IS-IS Level 1 Area 0048, and likewise will receive any routes advertised from FGT2 and redistribute to RIP and OSPF.
- FGT2 will receive routes from FGT1 (via Level 1) and FGT3 (via Level 2) and will redistribute routes between both Levels for IS-IS Area 0048.
- FGT3 is a backbone router connecting to Areas 0048 and 0049 and will share routes between FGT2 and FGT4.
- FGT4 will share its loopback subnet and expects to receive the local subnets of RTR1 and RTR2.
Notes regarding IS-IS NET/NSAP assignments:
- IS-IS router identifiers are called Network Entity Titles (NETs), and these, in turn, follow the Network Service Access Point Address (NSAP) format (which is discussed in RFC 1195 Section 1.2).
- For this example configuration, AFI 49 (for the Authority and Format Identifier) will be used since it is designated for private networks. This also means that an Initial Domain Identifier (IDI) is not required to be configured.
- As such, the FortiGates in the above example will have the following NET assignments in the abbreviated format <AFI><Area><System ID><NSEL>:
  - FGT1: 49.0048.1921.6818.2136.00
  - FGT2: 49.0048.1221.6818.2110.00
  - FGT3: 49.0048.1921.6818.2108.00 and 49.0049.1921.6818.2108.00
  - FGT4: 49.0049.1721.0160.1004.00
- The System ID may be any unique value for the router within the area, and the Area IDs are 0048 and 0049 in this scenario.
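The NET layout described in these notes can be checked before the addresses are pushed to the devices. The following is an added example, not part of the original article or of FortiOS: the function names parse_net and validate are hypothetical, and the split of the leading octets into AFI plus area assumes the private AFI 49 layout (no IDI) used here.

```python
import re
from collections import defaultdict

# NETs copied from this article's example topology.
NETS = {
    "FGT1": ["49.0048.1921.6818.2136.00"],
    "FGT2": ["49.0048.1221.6818.2110.00"],
    "FGT3": ["49.0048.1921.6818.2108.00", "49.0049.1921.6818.2108.00"],
    "FGT4": ["49.0049.1721.0160.1004.00"],
}

def parse_net(net):
    """Split an abbreviated NET into AFI, area, system ID and NSEL."""
    digits = net.replace(".", "")
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}){8,20}", digits):
        raise ValueError(f"{net}: expected 8 to 20 hex octets")
    # Fixed from the right: 1-octet NSEL, 6-octet system ID; the rest is AFI + area.
    nsel, sysid, prefix = digits[-2:], digits[-14:-2], digits[:-14]
    if nsel != "00":
        raise ValueError(f"{net}: NSEL must be 00 in a NET")
    return {
        "afi": prefix[:2],
        "area": prefix[2:],
        "system_id": ".".join(sysid[i:i + 4] for i in (0, 4, 8)),
        "nsel": nsel,
    }

def validate(nets):
    """Return a list of addressing problems found in {router: [NET, ...]}."""
    problems, owners = [], defaultdict(set)
    for router, router_nets in nets.items():
        parsed = [parse_net(n) for n in router_nets]
        # A router with NETs in several areas keeps one system ID for all of them.
        if len({p["system_id"] for p in parsed}) > 1:
            problems.append(f"{router}: system ID differs between its NETs")
        for p in parsed:
            owners[(p["area"], p["system_id"])].add(router)
    # A system ID must belong to exactly one router within an area.
    for (area, sysid), routers in sorted(owners.items()):
        if len(routers) > 1:
            problems.append(
                f"area {area}: system ID {sysid} shared by {sorted(routers)}")
    return problems

if __name__ == "__main__":
    for name, router_nets in NETS.items():
        for net in router_nets:
            print(name, parse_net(net))
    print(validate(NETS) or "no addressing conflicts")
```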
Configuration (only relevant parts shown):
FGT1:
config router isis
    set metric-style wide
    config isis-net
        edit 1
            set net 49.0048.1921.6818.2136.00
        next
    end
    config isis-interface
        edit "port3"
            set status enable
            set network-type broadcast
            set circuit-type level-1
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
        set status enable
        set level level-1
    end
    config redistribute "ospf"
        set status enable
        set level level-1
    end
    config redistribute "static"
        set status enable
        set level level-1
    end
end
config router rip
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 10.30.30.0 255.255.255.0
        next
    end
    config redistribute "isis"
        set status enable
    end
    config interface
        edit "port2"
            set receive-version 2
            set send-version 2
        next
    end
end
config router ospf
    set router-id 10.20.20.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "port5"
            set interface "port5"
        next
    end
    config network
        edit 1
            set prefix 10.20.20.0 255.255.255.0
        next
        edit 2
            set prefix 10.30.30.0 255.255.255.0
        next
    end
    config redistribute "isis"
        set status enable
    end
end
FGT2:
config router isis
    set metric-style wide
    set redistribute-l1 enable
    set redistribute-l2 enable
    config isis-net
        edit 1
            set net 49.0048.1221.6818.2110.00
        next
    end
    config isis-interface
        edit "port2"
            set status enable
            set network-type broadcast
        next
        edit "port3"
            set status enable
            set network-type broadcast
            set circuit-type level-1
        next
    end
end
FGT3:
config router isis
    set is-type level-2-only
    set metric-style wide
    config isis-net
        edit 1
            set net 49.0048.1921.6818.2108.00
        next
        edit 2
            set net 49.0049.1921.6818.2108.00
        next
    end
    config isis-interface
        edit "port2"
            set status enable
            set network-type broadcast
        next
        edit "port3"
            set status enable
            set network-type broadcast
        next
    end
end
FGT4:
config router isis
    set is-type level-2-only
    set metric-style wide
    config isis-net
        edit 1
            set net 49.0049.1721.0160.1004.00
        next
    end
    config isis-interface
        edit "port3"
            set status enable
            set network-type broadcast
        next
    end
    config redistribute "connected"
        set status enable
    end
end
Verification:
Verifying that RTR1 receives the loopback subnet from FGT4, along with the other IS-IS routes:
RTR1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
C       10.1.1.0/24 is directly connected, VLAN11
C       10.2.2.0/24 is directly connected, VLAN22
C       10.10.10.0/24 is directly connected, port2
R       10.30.30.0/24 [120/2] via 10.10.10.1, port2, 00:00:43, [1/0]
R       10.40.40.0/24 [120/2] via 10.10.10.1, port2, 04:00:07, [1/0]
R       10.50.50.0/24 [120/2] via 10.10.10.1, port2, 02:19:57, [1/0]
R       10.60.60.1/32 [120/2] via 10.10.10.1, port2, 01:17:57, [1/0]    <--- FGT4 Loopback Subnet
C       10.254.254.0/24 is directly connected, port1
Note: Filtering out routes (such as the subnets connecting FGT1, FGT2, and FGT3 together) can be done via outbound route-map on FGT1.
Verifying IS-IS router information on FGT2 (acting as a Level 1-2 router):
get router info isis interface <name>
FGT2 # get router info isis interface port2
port2 is up, line protocol is up
  Routing Protocol: IS-IS ((null))
    Network Type: Broadcast
    Circuit Type: level-1-2    <--- to FGT3, inherits is-type level-1-2
    Local circuit ID: 0x01
    Extended Local circuit ID: 0x00000004
    Local SNPA: 0209.0f00.0102
    IP interface address: 10.40.40.2/24
    IPv6 interface address: fe80::9:fff:fe00:102/64
    Level-1 Metric: 10/10, Priority: 64, Circuit ID: 1221.6818.2110.01
    Number of active level-1 adjacencies: 0
    Level-2 Metric: 10/10, Priority: 64, Circuit ID: 1921.6818.2108.01
    Number of active level-2 adjacencies: 1
    Next IS-IS LAN Level-1 Hello in 1 seconds
    Next IS-IS LAN Level-2 Hello in 1 seconds

FGT2 # get router info isis interface port3
port3 is up, line protocol is up
  Routing Protocol: IS-IS ((null))
    Network Type: Broadcast
    Circuit Type: level-1    <--- to FGT1, set to circuit-type level-1
    Local circuit ID: 0x02
    Extended Local circuit ID: 0x00000005
    Local SNPA: 0209.0f00.0103
    IP interface address: 10.30.30.2/24
    IPv6 interface address: fe80::9:fff:fe00:103/64
    Level-1 Metric: 10/10, Priority: 64, Circuit ID: 1221.6818.2110.02
    Number of active level-1 adjacencies: 1
    Next IS-IS LAN Level-1 Hello in 1 seconds
get router info isis neighbor
FGT2 # get router info isis neighbor
System Id       Interface   SNPA            State  Holdtime  Type  Protocol
1921.6818.2108  port2       0209.0f00.0202  Up     8         L2    IS-IS
1921.6818.2136  port3       0209.0f00.0003  Up     26        L1    IS-IS
get router info isis route
FGT2 # get router info isis route
Codes: C - connected, E - external, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, D - discard, e - external metric

Area (null):
     Destination         Metric   Next-Hop      Interface
L1   0.0.0.0/0           10       10.30.30.1    port3
L1   10.1.1.0/24         10       10.30.30.1    port3
L1   10.2.2.0/24         10       10.30.30.1    port3
L1   10.3.3.0/24         10       10.30.30.1    port3
L1   10.4.4.0/24         10       10.30.30.1    port3
C    10.30.30.0/24       10       --            port3
C    10.40.40.0/24       10       --            port2
L2   10.50.50.0/24       20       10.40.40.3    port2
L2   10.60.60.1/32       20       10.40.40.3    port2
L2   10.254.254.0/24     20       10.40.40.3    port2
Verifying that FGT4 received the subnets advertised by RTR1 and RTR2 via IS-IS:
FGT4 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
i*L2    0.0.0.0/0 [115/30] via 10.50.50.3, port3, 01:33:53, [1/0]    <--- received from FGT1 (static route redistribution into IS-IS)
i L2    10.1.1.0/24 [115/30] via 10.50.50.3, port3, 01:33:53, [1/0]    <--- RTR1
i L2    10.2.2.0/24 [115/30] via 10.50.50.3, port3, 01:33:53, [1/0]    <--- RTR1
i L2    10.3.3.0/24 [115/30] via 10.50.50.3, port3, 01:33:53, [1/0]    <--- RTR2
i L2    10.4.4.0/24 [115/30] via 10.50.50.3, port3, 01:33:53, [1/0]    <--- RTR2
i L2    10.30.30.0/24 [115/30] via 10.50.50.3, port3, 01:33:53, [1/0]
i L2    10.40.40.0/24 [115/20] via 10.50.50.3, port3, 01:33:53, [1/0]
C       10.50.50.0/24 is directly connected, port3
C       10.60.60.1/32 is directly connected, loopback
C       10.254.254.0/24 is directly connected, port1
Troubleshooting commands for IS-IS:
Checking current IS-IS state information:
FGT1 # get router info isis ?
interface      show isis interfaces
neighbor       show CLNS neighbor adjacencies
is-neighbor    show IS neighbor adjacencies
database       show IS-IS link state database
route          show IS-IS IP routing table
topology       show IS-IS paths
Displaying live-debug output from IS-IS daemon:
diagnose ip router isis level info
diagnose ip router isis all enable
diagnose debug console timestamp enable
diagnose debug enable
Stopping live-debug output:
diagnose debug disable
diagnose ip router isis level none
diagnose debug reset
Performing packet-captures for IS-IS control traffic:
IS-IS does not utilize IP addressing and communicates via Ethernet at Layer 2. To do this, it utilizes the following multicast MAC addresses as the destination for outgoing frames:
- 01:80:c2:00:00:14 - All Level 1 IS-IS routers.
- 01:80:c2:00:00:15 - All Level 2 IS-IS routers.
- 09:00:2b:00:00:05 - All IS devices.
The FortiGate packet sniffer command can be filtered for MAC addresses via the ether host filter keyword. For more information on MAC address-filtered packet captures, refer to the following KB article: Technical Tip: How to sniff packets by MAC Address on FortiGate with CLI commands.
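Once frames have been captured with such a MAC filter, they can be checked against what the segment is designed to carry. The following is an added example, not part of the original article or any Fortinet tool: it classifies untagged IS-IS frames by the group addresses above and reports speakers or levels that do not belong on the FGT1-FGT2 link (level-1 only). The PDU type numbers come from ISO/IEC 10589 rather than this page, the function names are hypothetical, and the frames are constructed sample data using the SNPAs shown in the FGT2 output.

```python
# Destination group addresses listed in this article.
GROUPS = {"01:80:c2:00:00:14": "L1", "01:80:c2:00:00:15": "L2",
          "09:00:2b:00:00:05": "ALL-IS"}
# IS-IS PDU type numbers (ISO/IEC 10589) mapped to (name, level).
PDU_TYPES = {15: ("LAN Hello", "L1"), 16: ("LAN Hello", "L2"), 17: ("P2P Hello", None),
             18: ("LSP", "L1"), 20: ("LSP", "L2"), 24: ("CSNP", "L1"),
             25: ("CSNP", "L2"), 26: ("PSNP", "L1"), 27: ("PSNP", "L2")}
LLC = b"\xfe\xfe\x03"  # DSAP 0xFE, SSAP 0xFE, control 0x03

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def classify(frame):
    """Describe an untagged IS-IS frame; return None for anything else."""
    length = int.from_bytes(frame[12:14], "big")  # 802.3 length, not an EtherType
    if len(frame) < 22 or length > 1500 or frame[14:17] != LLC or frame[17] != 0x83:
        return None
    name, level = PDU_TYPES.get(frame[21] & 0x1F, ("unknown", None))
    return {"src": mac(frame[6:12]), "pdu": name, "level": level,
            "group": GROUPS.get(mac(frame[0:6]), "other")}

def audit(frames, allowed_levels, known_snpas):
    """Return (source MAC, reason) for frames that do not fit the segment."""
    findings = []
    for info in filter(None, map(classify, frames)):
        if info["src"] not in known_snpas:
            findings.append((info["src"], "unknown IS-IS speaker"))
        elif info["level"] and info["level"] not in allowed_levels:
            findings.append((info["src"], f"unexpected {info['level']} {info['pdu']}"))
    return findings

def sample_frame(dst, src, pdu_type):
    """Build a header-only IS-IS frame (constructed test data, not a capture)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    body = LLC + bytes([0x83, 27, 1, 0, pdu_type, 1, 0, 0])
    return raw(dst) + raw(src) + len(body).to_bytes(2, "big") + body

# FGT1-FGT2 link from the article: level-1 only, SNPAs from the FGT2 output.
KNOWN = {"02:09:0f:00:00:03", "02:09:0f:00:01:03"}
FRAMES = [
    sample_frame("01:80:c2:00:00:14", "02:09:0f:00:00:03", 15),
    sample_frame("01:80:c2:00:00:15", "02:09:0f:00:01:03", 16),
    sample_frame("01:80:c2:00:00:14", "02:00:00:00:00:99", 15),  # constructed MAC
]

if __name__ == "__main__":
    print(audit(FRAMES, {"L1"}, KNOWN))
```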
Related documents:
- FortiOS v6.0 Handbook: IS-IS.
- Technical Tip: How to change the IS-IS metric style
- Troubleshooting Tip: Resolving IS-IS and BGP Parse Error Alarms on FortiGate
- Technical Tip: Solving IS-IS FortiGate to Cisco adjacency issue when jumbo frames are used
- Technical Tip: IS-IS neighbors stuck in INIT state when there are more than 42 neighbors